CVE-2021-46117: jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.page.PageNotifyKit#doSendEmail.
jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.page.PageNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code.
Security readout for executives and security teams
Plain-English summary
CVE-2021-46117 describes remote code execution in JPress 4.2.0 through editable email templates in the admin panel. If an attacker can reach and use that template-editing function, they may inject code that runs on the server. The source bundle does not provide CVSS, authentication requirements, or a confirmed fix.
Executive priority
Treat this as high priority for any internet-facing or business-critical JPress 4.2.0 deployment. The impact is potentially server code execution, but urgency depends on admin-panel exposure and access controls because the public sources do not establish exploitation or prerequisites.
Technical view
The reported flaw is in io.jpress.module.page.PageNotifyKit#doSendEmail. The admin panel email-template feature can accept malicious template content, leading to remote code execution when the email path processes it. Available sources identify JPress 4.2.0, but do not define affected ranges, prerequisites, patch version, or CWE.
Likely exposure
Exposure appears limited to deployments running JPress 4.2.0 where the admin panel and email-template editing function are accessible. The sources do not confirm whether prior authentication, administrator privileges, or another vulnerability is required to reach the vulnerable function.
Exploitation context
The CVE is not listed as KEV in the provided bundle, and no cited source claims active exploitation. Public details are sparse: they describe the vulnerable function and template injection path, but not real-world attacks, exploit maturity, or reliable detection indicators.
Researcher notes
Key gaps are authentication requirements, affected version range, patch status, and execution context. Validation should focus on reproducing exposure safely in a controlled environment, reviewing the linked issue, and mapping whether template edits can reach PageNotifyKit#doSendEmail without privileged access.
Mitigation direction
Check JPress project guidance for a fixed release or official workaround.
Restrict JPress admin panel access to trusted administrators and networks.
Review email templates for unexpected code or recent unauthorized changes.
Audit administrator accounts and rotate credentials if compromise is suspected.
Increase monitoring around template edits and email-sending activity.
Validation and detection
Inventory systems running JPress and confirm exact deployed versions.
Determine whether any instance is running JPress 4.2.0.
Verify who can access the admin panel template editor.
Review change logs for email-template modifications around suspicious times.
Confirm whether vendor guidance identifies an upgrade or configuration workaround.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Execution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jan 26, 2022, 15:15 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.